[4142] in WWW Security List Archive
Re: adduser web page
daemon@ATHENA.MIT.EDU (David W. Morris)
Mon Jan 27 17:48:22 1997
Date: Mon, 27 Jan 1997 12:49:52 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
Reply-To: "David W. Morris" <dwm@xpasc.com>
To: nella@asis.com
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199701270544.VAA12823@asis.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Sun, 26 Jan 1997 nella@asis.com wrote:
> Is there any reason why it would not be possible to securely allow users to
> change their passwords via a web page and cgi script? Does anyone know if
> such a script already exists?
Passwords for what??? Access to the web site? Or general system password?
In general, you would NOT want to use an unsecured WWW transaction
to change a password. Certainly NEVER for a password the user might
use for system login access. There are other exposures since your CGI
program would have to act with sufficient privileges to change the
password on behalf of the user.
In summary, since you had to ask the question, you probably don't have
easy access to the skills required to implement a secure solution and
perform the necessary risk assessment, etc. Therefore I would conclude
that you shouldn't do it.
Dave Morris